Mastering OpenCTI Deployment with Docker 🛡️

04/09/2024 10/09/2024 security 4 mins read

Understanding OpenCTI

OpenCTI (Open Cyber Threat Intelligence) represents a significant advancement in threat intelligence management. At its core, it’s an open-source platform that transforms how organizations handle cyber threat intelligence, providing a comprehensive solution for collecting, analyzing, and sharing threat data.

Key Benefits

The platform offers several advantages that make it invaluable for security teams:

  1. Centralized Intelligence Management: Consolidates threat data from multiple sources into a single, searchable platform
  2. Advanced Analysis Capabilities: Enables deep analysis of threats through relationship mapping and visualization
  3. Automated Data Processing: Reduces manual effort through automated ingestion and processing of threat intelligence
  4. STIX/TAXII Compatible: Natively supports industry-standard threat intelligence formats
  5. Extensible Architecture: Allows integration with various threat intelligence sources through connectors

System Architecture

OpenCTI’s architecture is built on several key components, each serving a specific purpose:

  • Frontend: React-based web interface for user interaction
  • API: GraphQL API for data access and manipulation
  • Workers: Distributed processing units for handling tasks
  • Database Layer: Elasticsearch for data storage and search capabilities
  • Message Broker: RabbitMQ for reliable message queuing
  • Object Storage: MinIO for storing files and attachments
  • Cache Layer: Redis for performance optimization

Prerequisites

system-setup.sh
# Update system packages
apt update && apt upgrade -y
# Install required packages
apt install docker-compose jq -y
# Configure system settings
echo "vm.max_map_count=1048575" >> /etc/sysctl.conf
sysctl -p
# Create application directory
mkdir -p /opt/opencti && cd /opt/opencti

Deployment Configuration

Let’s examine the deployment configuration in detail:

docker-compose.yml
version: '3'
services:
  redis:
    image: redis:7.2.5
    restart: always
    volumes:
      - redisdata:/data
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:8.13.4
    volumes:
      - esdata:/usr/share/elasticsearch/data
    environment:
      - discovery.type=single-node
      - xpack.ml.enabled=false
      # Elasticsearch authentication is switched off here, so the node must not be
      # reachable outside the compose network; see "Security Hardening" below.
      - xpack.security.enabled=false
      - "ES_JAVA_OPTS=-Xms${ELASTIC_MEMORY_SIZE} -Xmx${ELASTIC_MEMORY_SIZE}"
    restart: always
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
  # Additional services configuration...

Environment Configuration

Create a .env file with necessary configurations:

environment-setup.sh
cat << EOF > .env
OPENCTI_ADMIN_PASSWORD=ChangeMePlease
OPENCTI_ADMIN_TOKEN=$(cat /proc/sys/kernel/random/uuid)
OPENCTI_BASE_URL=http://localhost:8080
MINIO_ROOT_USER=$(cat /proc/sys/kernel/random/uuid)
MINIO_ROOT_PASSWORD=$(cat /proc/sys/kernel/random/uuid)
RABBITMQ_DEFAULT_USER=guest
RABBITMQ_DEFAULT_PASS=guest
ELASTIC_MEMORY_SIZE=8G
CONNECTOR_ANALYSIS_ID=$(cat /proc/sys/kernel/random/uuid)
CONNECTOR_HISTORY_ID=$(cat /proc/sys/kernel/random/uuid)
CONNECTOR_EXPORT_FILE_STIX_ID=$(cat /proc/sys/kernel/random/uuid)
CONNECTOR_EXPORT_FILE_CSV_ID=$(cat /proc/sys/kernel/random/uuid)
CONNECTOR_IMPORT_FILE_STIX_ID=$(cat /proc/sys/kernel/random/uuid)
CONNECTOR_EXPORT_FILE_TXT_ID=$(cat /proc/sys/kernel/random/uuid)
CONNECTOR_IMPORT_DOCUMENT_ID=$(cat /proc/sys/kernel/random/uuid)
SMTP_HOSTNAME=$(hostname)
EOF
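The generated .env is the one place where every credential of the stack lives, and the heredoc above deliberately leaves some at defaults (the admin password, the RabbitMQ guest account, a plain-http base URL). The following audit script is an added example of mine, not code from the post or from the OpenCTI project: it parses a .env in the format the heredoc writes and reports the values a reviewer would want changed before the platform is exposed. The list of default credentials, the sample .env contents and the UUID placeholders in it are constructed for the example; the script also catches a pitfall the heredoc cannot produce but copy-and-paste often does, two connectors sharing one CONNECTOR_ID.

```python
import re
import sys
from urllib.parse import urlparse

# Well-known defaults that a freshly generated .env may still contain.
# Constructed list for this example; extend the sets for your own deployment.
DEFAULT_CREDENTIALS = {
    "OPENCTI_ADMIN_PASSWORD": {"ChangeMePlease", "changeme", "admin"},
    "RABBITMQ_DEFAULT_USER": {"guest"},
    "RABBITMQ_DEFAULT_PASS": {"guest"},
    "MINIO_ROOT_USER": {"minioadmin"},
    "MINIO_ROOT_PASSWORD": {"minioadmin"},
}

# /proc/sys/kernel/random/uuid yields lower-case hex UUIDs of this shape.
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def parse_env(text):
    """Parse KEY=VALUE lines; blanks and # comments are skipped, matching quotes stripped."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env


def is_token_key(key):
    """Keys the setup script fills with a random UUID: the admin token and every CONNECTOR_*_ID."""
    return key == "OPENCTI_ADMIN_TOKEN" or (key.startswith("CONNECTOR_") and key.endswith("_ID"))


def audit_env(text, min_secret_length=16):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    env = parse_env(text)
    findings = []

    for key, defaults in DEFAULT_CREDENTIALS.items():
        value = env.get(key, "")
        if value in defaults:
            findings.append(f"{key}: still set to a default value")
        elif key.endswith(("PASSWORD", "PASS")) and len(value) < min_secret_length:
            findings.append(f"{key}: shorter than {min_secret_length} characters")

    seen = {}
    for key, value in env.items():
        if not is_token_key(key):
            continue
        if not UUID_RE.match(value):
            findings.append(f"{key}: not a UUID")
        elif value in seen:
            # OpenCTI keys connector registration on this ID, so two connectors
            # sharing one collide instead of running side by side.
            findings.append(f"{key}: duplicates {seen[value]}")
        else:
            seen[value] = key

    if urlparse(env.get("OPENCTI_BASE_URL", "")).scheme != "https":
        findings.append("OPENCTI_BASE_URL: not https, so the admin token and session cookies travel in clear")

    return findings


# Constructed sample: what the heredoc above produces, with placeholder UUIDs and one
# deliberately duplicated connector ID to exercise the duplicate check.
SAMPLE_ENV = """\
OPENCTI_ADMIN_PASSWORD=ChangeMePlease
OPENCTI_ADMIN_TOKEN=0b2f1a9c-3d4e-4f50-8a61-7b8c9d0e1f2a
OPENCTI_BASE_URL=http://localhost:8080
MINIO_ROOT_USER=6f1d2c3b-4a59-4687-9c1e-2d3f4a5b6c7d
MINIO_ROOT_PASSWORD=8e7d6c5b-4a39-4281-b7f6-e5d4c3b2a1f0
RABBITMQ_DEFAULT_USER=guest
RABBITMQ_DEFAULT_PASS=guest
ELASTIC_MEMORY_SIZE=8G
CONNECTOR_ANALYSIS_ID=1a2b3c4d-5e6f-4a7b-8c9d-0e1f2a3b4c5d
CONNECTOR_HISTORY_ID=1a2b3c4d-5e6f-4a7b-8c9d-0e1f2a3b4c5d
SMTP_HOSTNAME=opencti-host
"""

# The same file after the "Security Hardening" steps (constructed values).
HARDENED_ENV = """\
OPENCTI_ADMIN_PASSWORD=Xk9#vQ2m!pL7$wR4nT8z
OPENCTI_ADMIN_TOKEN=0b2f1a9c-3d4e-4f50-8a61-7b8c9d0e1f2a
OPENCTI_BASE_URL=https://opencti.example.internal
MINIO_ROOT_USER=6f1d2c3b-4a59-4687-9c1e-2d3f4a5b6c7d
MINIO_ROOT_PASSWORD=8e7d6c5b-4a39-4281-b7f6-e5d4c3b2a1f0
RABBITMQ_DEFAULT_USER=opencti-broker
RABBITMQ_DEFAULT_PASS=rabbit-svc-7f3a2b9c1d4e
ELASTIC_MEMORY_SIZE=8G
CONNECTOR_ANALYSIS_ID=1a2b3c4d-5e6f-4a7b-8c9d-0e1f2a3b4c5d
CONNECTOR_HISTORY_ID=9f8e7d6c-5b4a-4392-8817-6f5e4d3c2b1a
SMTP_HOSTNAME=opencti-host
"""

if __name__ == "__main__":
    # Usage: python audit_env.py [/opt/opencti/.env]; without an argument the sample is audited.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ENV
    for finding in audit_env(text) or ["no findings"]:
        print(finding)
```

Run it against /opt/opencti/.env right after the heredoc and again after hardening; the first run should list the admin password, both RabbitMQ values and the http base URL, the second should print nothing.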

Integrating Threat Intelligence Sources

MITRE ATT&CK Integration

The MITRE connector provides comprehensive mapping of tactics, techniques, and procedures:

mitre-connector.yml
# Add under services: in docker-compose.yml
connector-mitre:
  image: opencti/connector-mitre:6.2.6
  environment:
    - OPENCTI_URL=http://opencti:8080
    - OPENCTI_TOKEN=${OPENCTI_ADMIN_TOKEN}
    - CONNECTOR_ID=95996acf-1b08-4492-b66f-f54a46f14398
    - "CONNECTOR_NAME=MITRE Datasets"
    - CONNECTOR_SCOPE=tool,report,malware,identity,campaign,intrusion-set,attack-pattern,course-of-action
    - MITRE_INTERVAL=7
  restart: always
  depends_on:
    - opencti

MalwareBazaar Integration

Configure the MalwareBazaar connector for malware intelligence:

malwarebazaar-connector.yml
# Add under services: in docker-compose.yml
connector-malwarebazaar:
  image: opencti/connector-malwarebazaar-recent-additions:6.2.6
  environment:
    - OPENCTI_URL=http://opencti:8080
    - OPENCTI_TOKEN=${OPENCTI_ADMIN_TOKEN}
    - CONNECTOR_ID=51ebc133-58c4-4a8b-9afc-4177e597cc91
    - MALWAREBAZAAR_RECENT_ADDITIONS_INCLUDE_TAGS=exe,dll,docm,docx,doc,xls,xlsx,xlsm,js
  restart: always
  depends_on:
    - opencti

Post-Deployment Steps

After deploying OpenCTI, several important steps should be taken:

  1. Security Hardening:

    • Change default passwords
    • Configure SSL/TLS
    • Set up network security groups
    • Enable authentication for all services
  2. Connector Verification:

    • Check connector logs for proper initialization
    • Verify data ingestion from each source
    • Monitor connector performance
  3. Performance Tuning:

    • Adjust Elasticsearch settings based on data volume
    • Configure worker counts for optimal processing
    • Monitor and adjust cache settings
  4. Backup Configuration:

    • Set up regular backups of Elasticsearch data
    • Configure MinIO backup strategy
    • Document recovery procedures
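Reading container logs tells you whether a connector started; it does not tell you whether the platform still sees it as alive. The script below is an added example of mine, not code from the post or the OpenCTI project, for the "Connector Verification" step: it asks the GraphQL API (same OPENCTI_BASE_URL and OPENCTI_ADMIN_TOKEN as in the .env, sent as a Bearer token) for the registered connectors and reports any that are missing, inactive or have not checked in within a window. The query field names, and the use of updated_at as a last-check-in signal, are my assumptions about the OpenCTI GraphQL schema; confirm them in your version's GraphQL playground before relying on the output. The sample response, the connector names other than the page's "MITRE Datasets", and the third connector ID are constructed.

```python
import json
import os
import urllib.request
from datetime import datetime, timedelta, timezone

# Assumed field names from the OpenCTI GraphQL schema; verify against your version.
CONNECTORS_QUERY = """
query ConnectorHealth {
  connectors {
    id
    name
    active
    connector_type
    connector_scope
    updated_at
  }
}
"""

# Connectors this deployment is supposed to run (constructed list; the MITRE name is the page's).
EXPECTED_CONNECTORS = ("MITRE Datasets", "MalwareBazaar Recent Additions", "ImportDocument")


def fetch_connectors(base_url, token, timeout=10):
    """POST the query to <base_url>/graphql with the admin token as a Bearer token."""
    request = urllib.request.Request(
        f"{base_url.rstrip('/')}/graphql",
        data=json.dumps({"query": CONNECTORS_QUERY}).encode(),
        headers={"Content-Type": "application/json", "Authorization": f"Bearer {token}"},
        method="POST",
    )
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return json.load(response)


def parse_timestamp(value):
    """OpenCTI timestamps are ISO-8601 with a trailing Z; make them timezone-aware."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_connectors(response, now, max_age=timedelta(hours=24), expected=()):
    """Return {connector name: problem} for connectors that are missing, inactive or stale."""
    problems = {}
    connectors = (response.get("data") or {}).get("connectors") or []
    registered = {c["name"] for c in connectors}

    # A connector that never registered usually never reached the API (bad URL or token).
    for name in expected:
        if name not in registered:
            problems[name] = "not registered"

    for connector in connectors:
        if not connector.get("active"):
            problems[connector["name"]] = "registered but inactive"
            continue
        age = now - parse_timestamp(connector["updated_at"])
        if age > max_age:
            problems[connector["name"]] = f"no activity for {age.days}d {age.seconds // 3600}h"
    return problems


# Constructed sample response: one healthy connector, one stale, one inactive, one missing.
SAMPLE_RESPONSE = {
    "data": {
        "connectors": [
            {"id": "95996acf-1b08-4492-b66f-f54a46f14398", "name": "MITRE Datasets",
             "active": True, "connector_type": "EXTERNAL_IMPORT",
             "connector_scope": ["attack-pattern"], "updated_at": "2024-09-10T09:15:00Z"},
            {"id": "51ebc133-58c4-4a8b-9afc-4177e597cc91", "name": "MalwareBazaar Recent Additions",
             "active": True, "connector_type": "EXTERNAL_IMPORT",
             "connector_scope": ["malware"], "updated_at": "2024-09-06T01:00:00Z"},
            {"id": "00000000-0000-4000-8000-000000000003", "name": "ExportFileStix",
             "active": False, "connector_type": "INTERNAL_EXPORT_FILE",
             "connector_scope": ["application/json"], "updated_at": "2024-09-10T09:00:00Z"},
        ]
    }
}
NOW = datetime(2024, 9, 10, 10, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    # With OPENCTI_ADMIN_TOKEN set the live API is queried; otherwise the sample is checked.
    token = os.environ.get("OPENCTI_ADMIN_TOKEN")
    base_url = os.environ.get("OPENCTI_BASE_URL", "http://localhost:8080")
    response = fetch_connectors(base_url, token) if token else SAMPLE_RESPONSE
    now = datetime.now(timezone.utc) if token else NOW
    for name, problem in check_connectors(response, now, expected=EXPECTED_CONNECTORS).items():
        print(f"{name}: {problem}")
```

The 24-hour window suits slow feeds such as the MITRE connector (MITRE_INTERVAL=7 days between runs, but the connector still pings the API between runs); tighten it for connectors that import continuously.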

Best Practices and Common Pitfalls

When operating OpenCTI, consider these important guidelines:

  1. Resource Management:

    • Monitor Elasticsearch heap usage
    • Watch for worker queue buildup
    • Regular cleanup of old data
  2. Data Quality:

    • Implement data validation procedures
    • Regular auditing of imported data
    • Maintain consistent tagging practices
  3. Performance Optimization:

    • Index optimization in Elasticsearch
    • Proper caching configuration
    • Regular maintenance windows

Troubleshooting Guide

Common issues and their solutions:

  1. Elasticsearch Issues:

    elastic-troubleshoot.sh
    # Check cluster health
    curl -X GET "localhost:9200/_cluster/health?pretty"
    # Clear caches if needed
    curl -X POST "localhost:9200/_cache/clear?pretty"
  2. Connector Problems:

    connector-logs.sh
    # View connector logs
    docker logs -f opencti-connector-mitre
    # Restart problematic connector
    docker-compose restart connector-mitre

Conclusion

OpenCTI provides a robust platform for threat intelligence management, but proper deployment and maintenance are crucial for its effectiveness. Regular monitoring, updates, and optimization ensure the platform continues to serve its purpose in your security infrastructure.

Remember to regularly check for updates and new connector releases, as the threat intelligence landscape is constantly evolving.